[PATCH] pac-glue: fix delegation info blob

Isaac Boukris iboukris at gmail.com
Thu May 30 13:23:21 UTC 2019


Hi Stefan!

FYI, here are some thoughts on these bugs.

On Thu, May 30, 2019 at 9:30 AM Stefan Metzmacher <metze at samba.org> wrote:
>
> As reference here are the open bugs:
>
> S4U2Proxy requests with encrypted authorization-data are rejected by a
> Samba KDC
> https://bugzilla.samba.org/show_bug.cgi?id=13131

Not sure I hit exactly this, but in MIT I had to filter out client
provided authorization data to make things work.

> The content of the S4U_DELEGATION_INFO PAC element is filled wrong by a
> Samba KDC
> https://bugzilla.samba.org/show_bug.cgi?id=13133

As mentioned, when chasing rbcd referrals it looks like the Windows KDC
trust partner would process this blob and make sure the S4U2proxyTarget
field is the same as the currently requested server. On the other
hand, it looks like it doesn't care about S4UTransitedServices too
much, as I could send an irrelevant list and it worked fine.
Also, in these cases (constrained delegation referral chasing) the KDC
does *not* increment the TransitedListSize field, unlike what's stated
in MS-SFU 3.2.5.2.2 (I think the doc is wrong, as the list should not
grow since the impersonator does not change).

> Padding/alignment of PAC elements is done wrong on Samba KDCs
> https://bugzilla.samba.org/show_bug.cgi?id=13134

Do you know of any impact of this?

> S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks
> (authtime mismatch)
> https://bugzilla.samba.org/show_bug.cgi?id=13137

So if I get this right, it should reproduce if the evidence ticket and
the constrained delegation ticket are not acquired with the same TGT,
like:
$ kinit
$ kgetcred --out-cache=out --impersonate=user intermediate_service
$ kinit
$ kgetcred --delegation-credential-cache=out proxy_target_service

BTW, I think MIT would be fine in this regard.

Thanks,
Isaac
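The S4U_DELEGATION_INFO discussion above is easier to follow with the blob in hand. What follows is an added example, not Samba code and not anything Isaac or Stefan posted: a small Python encoder/decoder for the S4U_DELEGATION_INFO PAC buffer (field layout per MS-PAC 2.9, wire format per NDR type serialization version 1 as described in MS-RPCE 2.2.6), plus the check a verifier can apply that mirrors the observed Windows behaviour, namely that S4U2proxyTarget must name the service actually being requested, and that TransitedListSize must agree with the array that follows it. The service principal names are constructed sample values, and case-insensitive SPN comparison is an assumption of the example.

```python
"""Encode, decode and sanity-check an S4U_DELEGATION_INFO PAC buffer.

Added example (not Samba's code).  Structure per MS-PAC 2.9:
    RPC_UNICODE_STRING S4U2proxyTarget;
    ULONG              TransitedListSize;
    [size_is(TransitedListSize)] PRPC_UNICODE_STRING S4UTransitedServices;
Serialized with NDR type serialization v1 (MS-RPCE 2.2.6): an 8-byte common
header and an 8-byte private header, then a top-level pointer to the struct.
Names used below are constructed sample values.
"""
import struct

# Common type header: version 1, little-endian (0x10), header length 8, filler.
_COMMON_HDR = struct.pack("<BBHI", 1, 0x10, 8, 0xCCCCCCCC)


def _pad(b: bytes, n: int) -> bytes:
    return b + b"\0" * (-len(b) % n)


def _ustr_hdr(s: str, ref: int) -> bytes:
    # RPC_UNICODE_STRING: Length and MaximumLength in bytes, then pointer referent id.
    n = len(s.encode("utf-16-le"))
    return struct.pack("<HHI", n, n, ref)


def _ustr_data(s: str) -> bytes:
    # Deferred conformant/varying WCHAR array: max count, offset, actual count, chars.
    n = len(s)
    return _pad(struct.pack("<III", n, 0, n) + s.encode("utf-16-le"), 4)


def encode_delegation_info(target: str, transited: list) -> bytes:
    ref = 0x00020000
    body = struct.pack("<I", ref)                         # top-level pointer to the struct
    ref += 4
    body += _ustr_hdr(target, ref); ref += 4               # S4U2proxyTarget header
    body += struct.pack("<I", len(transited))             # TransitedListSize
    body += struct.pack("<I", ref if transited else 0)    # S4UTransitedServices pointer
    body += _ustr_data(target)                            # deferred target string
    if transited:
        ref += 4
        body += struct.pack("<I", len(transited))         # conformant array max count
        hdrs, datas = b"", b""
        for svc in transited:                             # element headers first,
            hdrs += _ustr_hdr(svc, ref); ref += 4         # then all deferred strings
            datas += _ustr_data(svc)
        body += hdrs + datas
    body = _pad(body, 8)                                  # type-serialized data is 8-aligned
    return _COMMON_HDR + struct.pack("<II", len(body), 0) + body


def _read_ustr_data(buf: bytes, off: int):
    maxc, offset, actual = struct.unpack_from("<III", buf, off)
    off += 12
    if offset != 0 or actual > maxc:
        raise ValueError("bad WCHAR array conformance/variance")
    s = buf[off:off + 2 * actual].decode("utf-16-le")
    off += 2 * actual
    off += -off % 4                                       # realign after WCHAR data
    return s, off


def decode_delegation_info(blob: bytes):
    if len(blob) < 16 or blob[:8] != _COMMON_HDR:
        raise ValueError("unexpected type-serialization header")
    (buflen,) = struct.unpack_from("<I", blob, 8)
    if buflen > len(blob) - 16:
        raise ValueError("ObjectBufferLength exceeds buffer")
    off = 16
    (top,) = struct.unpack_from("<I", blob, off); off += 4
    if top == 0:
        return None                                       # NULL top-level pointer
    tlen, _tmax, tref = struct.unpack_from("<HHI", blob, off); off += 8
    size, aref = struct.unpack_from("<II", blob, off); off += 8
    if tref == 0:
        raise ValueError("S4U2proxyTarget buffer pointer is NULL")
    target, off = _read_ustr_data(blob, off)
    if len(target.encode("utf-16-le")) != tlen:
        raise ValueError("S4U2proxyTarget length mismatch")
    services = []
    if aref:
        (count,) = struct.unpack_from("<I", blob, off); off += 4
        if count != size:
            raise ValueError("array conformance count != TransitedListSize")
        hdrs = []
        for _ in range(count):
            hdrs.append(struct.unpack_from("<HHI", blob, off)); off += 8
        for slen, _smax, sref in hdrs:
            if sref == 0:
                raise ValueError("transited service buffer pointer is NULL")
            s, off = _read_ustr_data(blob, off)
            if len(s.encode("utf-16-le")) != slen:
                raise ValueError("transited service length mismatch")
            services.append(s)
    elif size != 0:
        raise ValueError("TransitedListSize nonzero but S4UTransitedServices is NULL")
    return {"S4U2proxyTarget": target, "TransitedListSize": size,
            "S4UTransitedServices": services}


def check_delegation_info(info: dict, requested_service: str) -> list:
    """Verifier-side checks.  The target check mirrors the observed Windows KDC
    behaviour (target must equal the service being requested); the size check
    is structural.  Case-insensitive SPN comparison is an assumption here."""
    issues = []
    if info["S4U2proxyTarget"].lower() != requested_service.lower():
        issues.append("S4U2proxyTarget %r != requested %r"
                      % (info["S4U2proxyTarget"], requested_service))
    if info["TransitedListSize"] != len(info["S4UTransitedServices"]):
        issues.append("TransitedListSize does not match S4UTransitedServices")
    return issues
```

Running `decode_delegation_info(encode_delegation_info("cifs/target.example.com", ["http/intermediate.example.com"]))` round-trips the fields, and `check_delegation_info` reports a mismatch only when the decoded S4U2proxyTarget names a different service than the one in the request.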



More information about the samba-technical mailing list